Core Server / SERVER-74527

Expose a way to know whether the directShardOperations role is being used.

    • Type: Task
    • Resolution: Fixed
    • Priority: Major - P3
    • 7.0.0-rc0
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • Server Security
    • Fully Compatible
    • Sharding EMEA 2023-03-20, Sharding EMEA 2023-04-03, Sharding EMEA 2023-04-17

      In SERVER-65088 we created a new role called 'directShardOperations' that didn't have any privilege associated with it; it was just a placeholder for the upcoming work.

      In 7.0, this role should be associated with a new privilege that allows users to perform direct operations against shards (i.e. without going through the mongos).

      Sharding EMEA will need a way to query whether that privilege is enabled given an operation context (through the AuthorizationSession, using the client associated with the opCtx?).

      Some customers might want to opt in to this role. We don't expect it to happen very often, but it might happen. The most common use case would be to manually delete orphan documents: instead of relying on the native way of removing orphan documents after a migration (i.e. range deletions), we had some customers in the past who manually removed them. Since those documents are just an artifact of the chunk migration, they couldn't remove them by connecting through the mongos: they would have removed the legitimate documents on the recipient shard instead of the orphan documents on the donor shard. So they ended up doing this cleanup by connecting directly to the shards.

            Assignee: Sergi Mateo Bellido (sergi.mateo-bellido@mongodb.com)
            Reporter: Adam Rayner (adam.rayner@mongodb.com)
            Votes: 0
            Watchers: 5
